VGMdb
#1
Oct 14, 2017, 05:51 PM
Gigablah
VGMdb Administrator
Join Date: May 2007
Posts: 2,341
Making VGMdb more secure: HTTPS support

VGMdb is now available for browsing through a private, encrypted connection at https://vgmdb.net !

With over half of Internet traffic now secured through SSL/TLS, and browsers starting to hold non-secure sites accountable, implementing HTTPS protection is now a necessity.

During the initial phase you may run into bad redirects to the non-https site or mixed content warnings; please report them so we can get them fixed. Once it's verified that everything is working well, we can turn on HSTS and enforce secure browsing by default.

#2
Oct 16, 2017, 01:10 AM
CHz
VGMdb Administrator
Join Date: May 2007
Posts: 3,152

RSS feeds give out HTTP links when accessed over HTTPS:

https://vgmdb.net/db/rss.php
https://vgmdb.net/album/new/feed
https://vgmdb.net/album/upcoming/feed
https://vgmdb.net/artist/1/feed

I don't know how many others there are lying around

#3
Oct 18, 2017, 04:03 PM
Datschge
Trusted Editor
Join Date: Mar 2008
Posts: 662

To be honest, HSTS is quite a hassle that I'd only do as a final step. Just forcibly upgrading every access to https and getting a better TLS security rating is sufficient.

Thanks for the efforts in any case!

#4
Oct 21, 2017, 02:20 AM
LiquidAcid
Trusted Editor
Join Date: May 2008
Posts: 1,479

I guess then a few other HTTPS issues have to be addressed as well:
- first redirection when entering a new shop link with https prefix
- Amazon Japan shop link filtering if the link has https prefix

I've just added a link here, and both the first redirection fails and the link shows up on the album page (which it shouldn't).

#5
Oct 21, 2017, 03:37 AM
nextday
VGMdb Staff
Join Date: May 2011
Location: Texas
Posts: 1,640

To be honest, I'd rather not be redirected at all when adding shop links. It's annoying.

#6
Oct 21, 2017, 04:11 AM
Gigablah
VGMdb Administrator
Join Date: May 2007
Posts: 2,341

The links in the RSS feeds have been fixed.

The shop links code will need some refactoring. The redirection was originally for visual confirmation that the link works, but we can make this a background job.

#7
Oct 21, 2017, 04:20 AM
Efendija
VGMdb Staff
Join Date: Aug 2011
Location: Serbia /састеганаебали
Posts: 1,838

First (automatic) redirection to a https shop link is always failing, not something which happens on VGMdb https site version only (clarifying that just in case).

Also noting that every Amazon link (not exclusive to Japan ones) will be shown on the album page if entered with https. About the filtering in the first place though, isn't it perhaps time to stop it? More than five years have passed since the incident (closer to six actually) and some of us are regularly adding (visible) Amazon links with no problems whatsoever.

Last edited by Efendija; Oct 21, 2017 at 05:09 AM.

#8
Nov 2, 2017, 11:12 AM
Alcahest
Senior Member
Join Date: Apr 2008
Posts: 138

All images (album images, preview, front, etc.) have stopped showing up on Win XP SP3 (while browsing with either http or https).
Code:
media.vgm.io
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS 1.2
The rest of the site still works perfectly fine using https.
Code:
vgmdb.net
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS 1.0
Hoping there's a solution..

Last edited by Alcahest; Nov 2, 2017 at 05:07 PM.

#9
Nov 8, 2017, 06:23 AM
Gigablah
VGMdb Administrator
Join Date: May 2007
Posts: 2,341

Quote:
Originally Posted by Alcahest
All images (album images, preview, front, etc.) have stopped showing up on Win XP SP3 (while browsing with either http or https).
Code:
media.vgm.io
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS 1.2

media.vgm.io (and sibling subdomains) are proxied by Cloudflare. Apparently the free plan doesn't have SHA-1 fallback for older browsers (e.g. those on Win XP): https://support.cloudflare.com/hc/en...rowser-Support

I've upgraded to a monthly paid plan. Please let me know if that fixes images on your side.


Quote:
Originally Posted by dancey
can you make http:// automatically redirect to https:// when hitting regular http:// URLs?

Yep, that's indeed what I plan to do, after the legacy browser issue is confirmed fixed.

I think I'll be using redirect rules, though. HSTS can screw up the site if it's not done properly.

#10
Nov 8, 2017, 06:29 AM
Alcahest
Senior Member
Join Date: Apr 2008
Posts: 138

Quote:
Originally Posted by Gigablah
media.vgm.io (and sibling subdomains) are proxied by Cloudflare. Apparently the free plan doesn't have SHA-1 fallback for older browsers (e.g. those on Win XP): https://support.cloudflare.com/hc/en...rowser-Support

I've upgraded to a monthly paid plan. Please let me know if that fixes images on your side.

Absolutely, the images are back!
Thank you very much.
(So now the site works also 100% with https on legacy browsers / XP)

Last edited by Alcahest; Nov 8, 2017 at 06:42 AM.

#11
Nov 2, 2017, 02:37 PM
dancey
Trusted Editor
Join Date: Dec 2007
Location: New Jersey
Posts: 889

I have no idea how it works or how to do it, but can you make http:// automatically redirect to https:// when hitting regular http:// URLs? I usually access the site by typing "vgmd" in Chrome omnibar and then hitting down arrow + enter to hit the first cache result, which is vgmdb.net/forums/search.php?do=getnew. Or by typing "vgmdb.net search criteria" to automatically start a search.

I think most websites do this automatically because it's never anything I have to think about. For example, if I manually type "http://www.paypal.com", I get automatically redirected to https:. I assume websites have some sort of "you're using a client that supports https so we're going to serve that to you automatically" thing, but :shrug:

#12
Nov 2, 2017, 03:53 PM
Nisto
VGMdb Staff
Join Date: Sep 2009
Posts: 1,124

dancey: that's essentially what HSTS is for. So once they've confirmed that links are working properly, Gigablah will enable it and the site should start redirecting non-secure connections to https://